Security Flaw: Forgot Password Mechanism Can Circumvent Verification
We have a private customer support portal, available only to "Verified" customers.
To make that work, Freshdesk recommended that we could simply turn off the Email Notification - User Activation Email and verify customers manually.
This does prevent a person who's emailed in an issue from automatically getting an activation email.
When a user visits the portal URL they are asked to log in. As they've not been verified, they cannot. So far, so good.
But unfortunately, if they click on the "forgot your password?" link, they are prompted to enter their email address and are sent a link to set a new password.
Once they do this they are verified.
For this mechanism to work:
The forgot password process should check first to see if the user is verified.
If they are not verified:
- If the User Activation Email is enabled: it should be resent with a new timed link.
- If the User Activation Email is not enabled: the user should be sent a message, configurable by a Freshdesk administrator, informing them of what will happen.
If they are verified:
- The password reset should be processed.
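The verified-first check the post asks for, written out as an added Ruby example (not Freshdesk's code): the user records, the in-memory mail outbox and the return symbols are constructed placeholders for illustration, and the flawed handler is kept beside the corrected one so the difference is visible.

```ruby
require 'securerandom'
# Hypothetical user record; "verified" is the manual approval state from the thread.
User = Struct.new(:email, :verified, keyword_init: true)

class PasswordResetFlow
  attr_reader :outbox
  # activation_email_enabled mirrors the "User Activation Email" toggle;
  # unverified_message is the admin-configurable text the post asks for.
  def initialize(users, activation_email_enabled:, unverified_message:)
    @users = users.to_h { |u| [u.email.downcase, u] }
    @activation_email_enabled = activation_email_enabled
    @unverified_message = unverified_message
    @outbox = [] # stands in for the mail delivery queue
  end

  # Flawed flow as described in the thread: any known address gets a link that
  # sets a password, and completing it leaves the account verified.
  def forgot_password_unchecked(email)
    user = @users[email.downcase]
    return :silent unless user
    deliver(user.email, :password_reset, token: SecureRandom.hex(16))
    :reset_link_sent
  end

  # Corrected flow: verification is checked before any credential-setting link
  # is generated; unverified requesters only get activation or an informational mail.
  def forgot_password(email)
    user = @users[email.downcase]
    return :silent unless user # unknown address: no mail (HTTP response upstream stays uniform)
    if user.verified
      deliver(user.email, :password_reset, token: SecureRandom.hex(16))
      :reset_link_sent
    elsif @activation_email_enabled
      deliver(user.email, :activation, token: SecureRandom.hex(16)) # fresh timed activation link
      :activation_resent
    else
      deliver(user.email, :pending_verification, body: @unverified_message)
      :pending_message_sent
    end
  end

  private

  def deliver(to, kind, **fields)
    @outbox << { to: to, kind: kind }.merge(fields)
  end
end
```

With the activation email disabled, an unverified requester who clicks "forgot your password?" now gets only the administrator's message, never a link that sets credentials.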
So, it sounds like the only way to prevent this security issue at this time is to disable the User Activation Email. Is that correct?
- If a person sends an email to your configured support email address
- And then can navigate to the portal login page where the "forgot password" link is
- Then they can force the system to send them a link to let them in
Thanks for the reply and the explanation. Are there plans in the future to tighten security and correct this flaw?
...and I'm sure we're not alone...
We have a feature on the roadmap to address this. We'll let you know once that feature is taken up. It should be sometime at the end of the year.
Thanks for the update Abishek.
I may have found a workaround. Clicking the forgot my password link on the front page sends the requester the Requester Notifications>Password Reset Email message. While you can't disable the notification you can remove the password reset link from the message. This would impact your internal users from resetting their passwords with the link as well though. Any ideas on getting around that?
We ran into this as well - would love a supported way to solve this issue!
We have the same issue here; we have a private customer support portal too and a lot of customers can activate themselves without our activation.
Please let us know, it's a big problem
This is a problem for us too. On a side note, if you disable the verification emails for requesters, is there a rule that you guys have set up for agents to work tickets for manually sending the verification email?
We need a mode for activating new registrations; this does not seem properly secure.
We completely agree with everyone on this topic and definitely have plans to address it on our roadmap.
Unfortunately, I do not have an ETA as of now to promise upon. Sorry about that! Will surely keep you posted.